PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46115 Linux CVE debrief

CVE-2026-46115 is a Linux kernel vulnerability in the block layer's segment merging logic. The biovec_phys_mergeable() function, used by request merging, DMA mapping, and integrity merge paths, lacked a check for whether physically contiguous bvec segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk receives its own dev_pagemap. A single bio can contain bvecs from different pgmaps, and if these are physically contiguous, biovec_phys_mergeable() would incorrectly coalesce them. This makes it impossible to recover the correct pgmap for the merged segment via page_pgmap(), potentially causing data corruption or system instability. The fix adds a zone_device_pages_have_same_pgmap() check to prevent merging segments that span different pgmaps.

Vendor
Linux
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Organizations running Linux systems with zone device memory configurations, including persistent memory (Intel Optane, AMD 3D V-Cache), CXL.mem devices, or other memory-tiering implementations. Cloud providers and HPC facilities utilizing memory disaggregation or tiered memory architectures. Kernel maintainers and distribution packagers responsible for stable kernel backports.

Technical summary

The biovec_phys_mergeable() function in the Linux kernel block layer determines whether two physically contiguous bvec segments can be coalesced. It is invoked during request merging, DMA mapping setup, and integrity metadata merging. The function previously lacked validation that segments belong to the same dev_pagemap structure. Zone device memory (such as persistent memory or CXL.mem devices) registers each memory chunk with a separate dev_pagemap. The bio construction path in bio_iov_iter_get_pages() can fill a single bio with bvecs spanning multiple pgmaps when iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop continues. When biovec_phys_mergeable() coalesces such segments, page_pgmap() cannot correctly identify the originating pgmap for the merged region. The resolution introduces zone_device_pages_have_same_pgmap() to enforce pgmap boundary preservation during segment merging.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the fix for CVE-2026-46115 when available from your Linux distribution
  • For systems using zone device memory (e.g., persistent memory, CXL devices), prioritize patching to prevent potential data corruption
  • Verify that biovec_phys_mergeable() includes zone_device_pages_have_same_pgmap() check in deployed kernel versions
  • Monitor stable kernel changelogs for backport announcements to affected LTS branches
  • Review dmesg and block layer logs for any anomalies on systems with multiple zone device memory regions

Evidence notes

The vulnerability description indicates this was resolved in the Linux kernel with a patch adding pgmap boundary checking to biovec_phys_mergeable(). Multiple stable kernel commits are referenced, suggesting backports to affected versions. The issue specifically affects zone device memory configurations with multiple registration chunks.

Official resources

2026-05-28